2 Answers

I reported Cisco Bug ID CSCts12090 (CCO required) to Cisco a few weeks ago. I just started using AnyConnect about 6 months ago and have only used version 3.0 and up. Looks like you are using a version earlier than 3.0.

Anyway, the bug I reported is very similar (but worse). AnyConnect is unable to successfully connect when multiple IPs are assigned to the local NIC in certain cases. See the full bug report linked earlier for complete details. It was a confirmed bug and is going to be fixed in AC 3.1. AC 3.1 promises, as I have been told, to be a pretty big rewrite of the local routing table update code that is going to fix this and a slew of other quirks with AC.

While the problem you are experiencing is not exactly like the one I reported in CSCts12090, it is eerily similar.

The Cisco VPN adapter is special, in that in "default" mode, it's designed to send every last bit of network traffic over the tunnel's link. I mirrored that configuration to test, and a normal tunnel actually wouldn't even let me ping the primary address of the local interface.

However, with a split tunnel, where the VPN adapter handles traffic for only specified networks, it seems to be working great for secondary addresses.

If you can, get the connection's configuration changed to be a split tunnel; if your endpoint is an ASA, it'll be split-tunnel-policy and split-tunnel-network-list commands in the relevant group-policy.

That was the terminology, "split tunnel", for what was enabled on the server; and it didn't change. ("The RSA token for the SSL_Vendor profile now has split tunneling enabled. This should now allow vendors to access their local LAN when connected.") It did allow the local LAN to access the VPN client machine on the "main" IP (whereas before we couldn't), but it didn't allow connections to the VPN client machines via other IP addresses.
– Ian Boyd, Sep 2 '11 at 21:27
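As an added illustration (not from either answer or the comment) of the ASA group-policy change the second answer refers to, here is the tunnel-everything default shown beside a split-tunnel configuration; the policy name VENDOR_POLICY, the ACL name SPLIT_TUNNEL_NETS and the network prefixes are placeholders.

```cisco
! Before (constructed example): the default sends all client traffic through the tunnel,
! which is the behaviour that blocked even pings to the local interface's primary address.
group-policy VENDOR_POLICY attributes
 split-tunnel-policy tunnelall

! After (constructed example): only the listed internal networks ride the tunnel;
! everything else, including the client's local LAN, stays off the VPN adapter.
access-list SPLIT_TUNNEL_NETS standard permit 10.10.0.0 255.255.0.0
access-list SPLIT_TUNNEL_NETS standard permit 192.168.100.0 255.255.255.0
group-policy VENDOR_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_NETS

! Confirm what was actually pushed to a connected client:
! show running-config group-policy VENDOR_POLICY
! show vpn-sessiondb anyconnect
```

With tunnelspecified, traffic to the client's local LAN bypasses the VPN headend and its inspection, so the network list should cover only the internal ranges vendors actually need.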